Lite version of session.pl

[teolemon]

On android we used /cgi/session.pl to check the user login info. This call returns a html document that is parsed to "guess" the status.
Can we add an option to send back a much smaller payload, possibly JSON.
/cgi/session.pl?json=true
?

[hangy]

You could already use /cgi/sso.pl for that. As the calling user agent, you have the user's cookie and it to verify the session is still OK. For example, with the session cookie value user_session&SOMERANDOMSESSIONIDHERE&user_id&foobar, you could call https://world.openfoodfacts.org/cgi/sso.pl?user_id=foobar&user_session=SOMERANDOMSESSIONIDHERE and would get the following JSON object for a logged in user {"user_id":"foobar","name":"ˈfoo bar","email":"[email protected]"}. For an invalid session, {"user_id":null} is returned.

Alternatively, wait for #1714.

[stephanegigandet]

This is for the ios and android app, they have the user login and password, it's to verify it the first time.

[hangy]

I understand that, but IMHO we should focus on a token based authentication for apps instead of trying to patch the current way. 🤷‍♂

Just have them POST login data to /cgi/session.pl. If they get back a useful session cookie, the login was successful; otherwise the credentials were incorrect. (No need to parse the HTML.) In case they need additional information about the user or they need to verify that the session is still valid, they can query /cgi/sso.pl as described above.

[stephanegigandet]

That approach sounds good to me. :)

[teolemon]

https://world.openfoodfacts.org/cgi/sso.pl returns null for me

[teolemon]

@VaiTon relevant for your ongoing work

[VaiTon]

@hangy what about mobile native sign-up process?

[teolemon]

I believe the new #7465 solves this